Detections
Analytics

Amazon Linux AMI : mysql55 (ALAS-2016-738)

high Nessus Plugin ID 93016

Language:

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. (CVE-2016-2047)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to UDF. (CVE-2016-0608)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to privileges. (CVE-2016-0609)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Options. (CVE-2016-0505)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2016-0600)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0616)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption. (CVE-2016-3452)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DDL.
(CVE-2016-0644)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. (CVE-2016-3477)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0596)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0597)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect integrity and availability via vectors related to DML. (CVE-2016-0640)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-3521)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect integrity and availability via vectors related to Federated. (CVE-2016-0642)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect confidentiality via vectors related to DML.
(CVE-2016-0643)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to Security:
Privileges. (CVE-2016-0666)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer.
(CVE-2016-0651)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to Replication.
(CVE-2016-0650)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0598)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to PS.
(CVE-2016-0649)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. (CVE-2016-5440)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Connection. (CVE-2016-5444)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect integrity via unknown vectors related to encryption. (CVE-2016-0606)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to PS.
(CVE-2016-0648)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DML.
(CVE-2016-0646)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. (CVE-2016-0546)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to FTS.
(CVE-2016-0647)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: DML. (CVE-2016-3615)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect confidentiality and availability via vectors related to MyISAM. (CVE-2016-0641)

Solution

Run 'yum update mysql55' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2016-738.html

Plugin Details

Severity: High

ID: 93016

File Name: ala_ALAS-2016-738.nasl

Version: 2.4

Type: local

Agent: unix

Published: 8/18/2016

Updated: 7/10/2019

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:mysql55-test, p-cpe:/a:amazon:linux:mysql55-embedded-devel, p-cpe:/a:amazon:linux:mysql55-debuginfo, p-cpe:/a:amazon:linux:mysql55-devel, p-cpe:/a:amazon:linux:mysql55, p-cpe:/a:amazon:linux:mysql55-libs, p-cpe:/a:amazon:linux:mysql55-server, p-cpe:/a:amazon:linux:mysql-config, cpe:/o:amazon:linux, p-cpe:/a:amazon:linux:mysql55-embedded, p-cpe:/a:amazon:linux:mysql55-bench

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 8/17/2016

Vulnerability Publication Date: 1/20/2016

Reference Information

CVE: CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0666, CVE-2016-2047, CVE-2016-3452, CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440, CVE-2016-5444

ALAS: 2016-738